MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.
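The authentication condition described above lives in two bits of the MQTT 3.1.1 CONNECT packet: the User Name Flag (0x80) and the Password Flag (0x40). The following added example (not RabbitMQ or Pivotal code) builds constructed CONNECT packets, decodes those flags, and shows the check a password-authenticating broker must apply before looking up the user: a username without a password is incomplete and must not be accepted.

```python
import struct

def _mqtt_str(s: bytes) -> bytes:
    """Encode an MQTT length-prefixed field (big-endian 16-bit length)."""
    return struct.pack(">H", len(s)) + s

def build_connect(client_id, username=None, password=None):
    """Build a minimal MQTT 3.1.1 CONNECT packet (constructed sample input)."""
    flags = 0x02  # Clean Session
    payload = _mqtt_str(client_id.encode())
    if username is not None:
        flags |= 0x80  # User Name Flag
        payload += _mqtt_str(username.encode())
    if password is not None:
        flags |= 0x40  # Password Flag
        payload += _mqtt_str(password)
    var_hdr = _mqtt_str(b"MQTT") + bytes([4, flags]) + struct.pack(">H", 60)
    body = var_hdr + payload
    assert len(body) < 128  # one-byte Remaining Length is enough for this sample
    return bytes([0x10, len(body)]) + body

def _read_str(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_connect(packet):
    """Decode connect flags and credential fields from a CONNECT packet."""
    if packet[0] >> 4 != 1 or packet[1] >= 128:
        raise ValueError("not a CONNECT packet with a one-byte Remaining Length")
    pos = 2
    proto, pos = _read_str(packet, pos)
    level, flags = packet[pos], packet[pos + 1]
    pos += 4  # protocol level, connect flags, 2-byte Keep Alive
    info = {"proto": proto, "level": level, "username": None, "password": None}
    info["client_id"], pos = _read_str(packet, pos)
    if flags & 0x04:  # Will Flag set: Will Topic and Will Message follow
        _, pos = _read_str(packet, pos)
        _, pos = _read_str(packet, pos)
    if flags & 0x80:
        info["username"], pos = _read_str(packet, pos)
    if flags & 0x40:
        info["password"], pos = _read_str(packet, pos)
    return info

def has_complete_credentials(info):
    """Both fields must be present before any credential lookup happens;
    a CONNECT carrying only a username is rejected, never treated as valid."""
    return info["username"] is not None and info["password"] is not None
```

Anonymous CONNECTs (neither flag set) also fail this check; whether to allow them is a separate broker policy from the username/password path the advisory describes.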

Mitigation

Users of affected standalone RabbitMQ versions should apply the following mitigation:

Upgrade RabbitMQ 3.x versions to 3.5.8 or later

Upgrade RabbitMQ 3.6.x versions to 3.6.6 or later

Users of affected Pivotal Cloud Foundry versions should apply the following mitigation: